Happy Birthday Morris!

Randy Abrams recently pointed out to me that today is the 20th anniversary of the Morris Worm. For all you kids out there who have no recollection of this event, I’ve just posted a blog at http://www.eset.com/threat-center/blog/?p=165 that recaps the worm and includes some relevant references, but right now I want to expand on a thought I had while I was writing it.

The Morris worm was very much of its time. It was a proof-of-concept (actually of several concepts) item of malware that showed a certain interest in and knowledge of some vulnerabilities that were current at that time (mostly a fingerd buffer overflow exploit and a somewhat flaky implementation of sendmail debugging), and was clearly meant to be self-launching. Most current malware, while it may well use drive-by downloads and other exploits, seems to use some form of social engineering. So maybe the earlier CHRISTMA EXEC worm was the real pioneer, with its mass-mailing payload and its chain-letter appeal to the gullibility of the victim. Well, we can draw dotted lines between old and new malware from now to Christmas, which is the sort of thing that interests saddos like me but doesn’t necessarily gain us much in terms of securing the internet.

Looking through some historical resources, it strikes me that there are some moments in malware history that not only define the time, but in some way draw a line under it (though Morris was followed by a copycat VMS worm the following year). After that, though, we waited quite a while for a real mass-mailer epidemic and for the big network worms of this decade. Melissa managed to mark both the beginning of heavy-duty mass mailers and the end (or at least the decline) of macro malware. Yet there are no full stops here. In 2008, we’re still seeing new(-ish) stuff cheek-by-jowl with the sort of malware we’ve mostly forgotten about: old-time boot sector viruses and new-age MBR rootkits; macro viruses and office suite exploits; overflows and drive-bys; and an endless loop of social engineering tricks (phishes, 419s, fake admin messages, fake codecs, fake updates…). The only really substantial change is the disappearance of the hobbyist hacker/malware author, promoted into full-blown cyber-criminality.

It seems that what we really need to patch is human nature: the evil gene, the greed gene, the careless gene, the “what’s a patch?” gene, the “I can click on anything because I have anti-virus software” gene…


  • Rob

    Technical issues aside, one of the most important aspects of the Morris Worm was the impetus to form the CERT/CC (and a multitude of other CERTs worldwide) to improve coordination between incident responders.

  • David Harley

    Good point. This would be a very different (and even more insecure) world without CERTs…

  • Bruce Ediger

    “Morris was followed by a copycat VMS worm the following year”

    Are you sure you’re not confusing Dec 1988’s “Father Christmas” DecNet worm with 1989’s WANK/OILZ worm?

    You used to be able to find HI.COM (1988 worm) source code on the web, and I’ve heard that the WANK code may not even exist anywhere anymore, but those two worms are quite different.

  • David Harley

    I’m not sure what you think I’m confusing with what. W.COM owed a great deal both to HI.COM and to the Morris worm.

  • http://www.dgreetings.com Birthday Cards

    It’s funny, viruses also have birthdays